package main

import (
	"html/template"
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)

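// TextTemplateHandler renders template.html with the "message" query
// parameter filled into the page data and writes the result to the
// response.
//
// The template is loaded through html/template, whose contextual
// auto-escaping encodes the untrusted message for the HTML context it
// lands in. Whether that protection actually holds depends on
// template.html, which is not visible here: a value typed template.HTML,
// or a placement the escaper cannot make safe (an unquoted attribute, a
// raw <script> body), would undo it — confirm against the template file.
func TextTemplateHandler(ctx *gin.Context) {
	message := ctx.Query("message")

	// Parse the template on every request. Without this error check a
	// missing or malformed template.html leaves t nil, and the Execute
	// call below panics instead of answering with a 500.
	t, err := template.ParseFiles("template.html")
	if err != nil {
		ctx.String(http.StatusInternalServerError, "Error: %v", err)
		return
	}

	// Page data. Message is attacker-controlled input and relies entirely
	// on html/template's escaping for safe output.
	data := struct {
		Title   string
		Heading string
		Message string
	}{
		Title:   "My Page",
		Heading: "Welcome to My Page",
		Message: message,
	}

	// NOTE(review): the raw error text is echoed to the client here and
	// above; a production build would log it and return a generic message.
	if err := t.Execute(ctx.Writer, data); err != nil {
		ctx.String(http.StatusInternalServerError, "Error: %v", err)
		return
	}
}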

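// main wires the template handler to GET /index and serves it on port 9000.
func main() {
	engine := gin.Default()
	// Manual check that a message containing markup comes back escaped:
	// http://0.0.0.0:9000/index?message=%3Cscript%3Ealert(1)%3C/script%3E
	engine.GET("/index", TextTemplateHandler)
	// 0.0.0.0 binds every interface; use 127.0.0.1 if only local access
	// is intended. Run blocks until the listener fails, and its error is
	// reported instead of discarded so a bind failure is not lost.
	if err := engine.Run("0.0.0.0:9000"); err != nil {
		log.Fatalf("serving on 0.0.0.0:9000: %v", err)
	}
}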